Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

MAJOR vulnerability: bump httpclient for 4.5.2 to 4.5.3 #62

Open
wants to merge 1 commit into
base: master
Choose a base branch
from

Conversation

MethodLevelAnalyzer
Copy link

Vulnerability Information

Bumps apache-httpclient from 4.5.2 to 4.5.3.

Listed dependency org.apache.httpcomponents:httpclient contains vulnerable methods which are called from this project. This vulnerability appears to affect httpclient package versions lower than 4.5.3 (excluding). The vulnerability has been fixed in version 4.5.3, as can be seen from the package release notes.

Property Value
Linked CVE HTTPCLIENT-1803
Number of affected methods 5
Severity MAJOR
Current version 4.5.2
Updated version 4.5.3
Backwards Compatibility True

Vulnerable method calls

Methods in this repository Used package methods Origin vulnerable method
com.visenze.visearch.internal.http/
ViSearchHttpClientImpl.executeRequest(HttpUriRequest request)
org.apache.http.impl.client/
CloseableHttpClient.execute(HttpUriRequest request)
org.apache.http.client.util/
URIBuilder.normalizePath(String path)
com.visenze.visearch.internal.http/
ViSearchHttpClientImpl.buildPostRequest(String url, Multimap<String, String> params)
org.apache.http.client.methods/
RequestBuilder.build()
org.apache.http.client.util/
URIBuilder.normalizePath(String path)
com.visenze.visearch.internal.http/ViSearchHttpClientImpl.buildPostUri(String url) org.apache.http.client.utils/
URIBuilder.build()
org.apache.http.client.util/
URIBuilder.normalizePath(String path)
com.visenze.visearch.internal.http/ViSearchHttpClientImpl.buildGetRequest(String url, Multimap<String, String> params) org.apache.http.client.methods/
RequestBuilder.build()
org.apache.http.client.util/
URIBuilder.normalizePath(String path)
com.visenze.visearch.internal.http/ViSearchHttpClientImpl.buildGetUri(String url, List nameValuePairList) org.apache.http.client.utils/
URIBuilder.build()
org.apache.http.client.util/
URIBuilder.normalizePath(String path)

What do the columns represent?

The 1st column in the table indicates the method in this repository that was found to be affected by vulnerable methods from the httpclient package.

The 2nd column indicates the httpclient method that was directly called from this repository.

The 3rd column indicates the origin vulnerable method in the httpclient package. According to our dataset, this is one of the methods that produces the HTTPCLIENT-1803 vulnerability. This method was found to be internally chain-called in the httpclient package by the method listed in column 2.

How were the results generated?

This vulnerability was analyzed specifically for usage in this project using the FASTEN Project. Statical method-level analysis was used to check for usage of vulnerable methods in the project.

Method calls between your project and httpclient have been mapped into a directed graph. From this graph, we
could then see whether any vulnerable httpclient methods are being called from within your project.

Research Scope

We are a team of 3 BSc Computer Science students at the TU Delft. Our goal is to conduct research on how developers react to method-level vulnerability information that affects their projects. We would highly appreciate if you could help us with our research and please tick statements which apply to you below.

First impression checklist

  • I have read this pull request description.
  • I was aware of this dependency vulnerability affecting my project before being informed by this Pull Request.
  • I was convinced by the provided method information that this vulnerability indeed affects my project.
  • After seeing the provided method-level information, I plan on fixing the vulnerability.

After fixing vulnerability checklist

  • I found that the provided method information has made my process of dealing with the vulnerable dependency easier.
  • I have given priority to the task of fixing the vulnerability over other project tasks that are yet to be completed.
  • I would like to receive this kind of method information in future vulnerable dependency Pull Request descriptions.

@devops-guard
Copy link

devops-guard bot commented Jun 6, 2021

Jira Ticket Check

The PR title MAJOR vulnerability: bump httpclient for 4.5.2 to 4.5.3 doesn't appear to contain a valid Jira ticket, please check again!

@devops-guard
Copy link

devops-guard bot commented Jun 6, 2021

Sensitive Data Scan

This PR doesn't seem to contain any sensitive data.

@codeclimate
Copy link

codeclimate bot commented Jun 6, 2021

Code Climate has analyzed commit 06aba96 and detected 0 issues on this pull request.

View more on Code Climate.

@coveralls
Copy link

Coverage Status

Coverage increased (+0.0%) to 80.241% when pulling 06aba96 on MethodLevelAnalyzer:methodlevelanalyzer/httpclient-4.5.3 into 50f21e0 on visenze:master.

@MethodLevelAnalyzer
Copy link
Author

Hi, I am contacting you on behalf of the research team from the Technical University of Delft, The Netherlands. In our recent study, we have carefully selected a limited number of active and professional repositories from the open-source community to learn from. So every feedback counts! :)

We appreciate it if you could contribute to our research by answering just a few questions (either using the above checkboxes or the fully anonymous questionnaire from here: https://forms.gle/n6oXZUwYysMUnVDn6). This will take less than a minute.
Moreover, we will give credit to your repository in the upcoming paper.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants